ComboFix 09-09-23.02 - Beck 09/23/2009 15:49.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.925 [GMT -6]
Running from: c:\documents and settings\Beck\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Beck\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090923-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
FILE ::
"c:\windows\system32\drivers\etc\hosts"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Beck\Local Settings\Temporary Internet Files\pse_350_enu.exe
c:\windows\system32\drivers\etc\hosts
.
((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 )))))))))))))))))))))))))))))))
.
2009-09-23 16:38 . 2009-09-23 16:39 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-09-14 03:02 . 2009-09-14 03:02 -------- d-----w- c:\windows\Sun
2009-09-12 22:08 . 2009-09-12 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-12 22:08 . 2009-09-12 22:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-12 21:37 . 2009-09-12 21:47 19517 ----a-w- c:\windows\hpqins13.dat
2009-09-09 01:06 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-01 17:48 . 2009-09-01 18:28 -------- d-----w- C:\Combo-Fix
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-23 21:11 . 2009-01-22 19:34 45504 ----a-w- c:\documents and settings\Beck\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-23 21:09 . 2009-07-31 02:54 -------- d-----w- c:\documents and settings\Beck\Application Data\Skype
2009-09-23 16:31 . 2009-07-31 02:57 -------- d-----w- c:\documents and settings\Beck\Application Data\skypePM
2009-09-23 02:44 . 2009-03-02 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-12 22:49 . 2009-04-06 19:26 -------- d-----w- c:\program files\Coupons
2009-09-12 22:48 . 2009-01-09 00:17 -------- d-----w- c:\program files\Yahoo!
2009-08-19 04:00 . 2009-08-03 03:19 -------- d-----w- c:\documents and settings\Jeramy\Application Data\Skype
2009-08-19 01:26 . 2009-08-03 03:21 -------- d-----w- c:\documents and settings\Jeramy\Application Data\skypePM
2009-08-17 16:10 . 2009-07-16 05:04 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:06 . 2009-07-16 05:05 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-17 16:06 . 2009-07-16 05:05 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-17 16:05 . 2009-07-16 05:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-07-16 05:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:04 . 2009-07-16 05:05 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-07-16 05:05 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:03 . 2009-07-16 05:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-17 16:02 . 2009-07-16 05:05 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-17 15:41 . 2009-07-31 03:24 230432 ----a-w- C:\PAP7501.dat
2009-08-07 15:56 . 2009-08-07 02:30 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-07 15:55 . 2009-08-07 02:30 -------- d-----w- c:\program files\NOS
2009-08-07 03:11 . 2005-05-04 16:36 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-07 02:51 . 2009-08-07 02:51 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-07 00:39 . 2009-08-07 00:39 -------- d-----w- c:\program files\Sun
2009-08-07 00:38 . 2009-08-07 00:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-07 00:38 . 2009-08-07 00:37 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 1980-01-01 00:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-31 02:57 . 2009-07-31 02:57 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-31 02:53 . 2009-07-31 02:53 -------- d-----r- c:\program files\Skype
2009-07-31 02:53 . 2009-07-31 02:53 -------- d-----w- c:\program files\Common Files\Skype
2009-07-31 02:53 . 2009-07-31 02:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-26 06:40 . 2009-07-26 06:39 -------- d-----w- c:\program files\MyLife Notebook Webcam
2009-07-26 06:39 . 2005-05-04 16:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-26 06:39 . 2009-07-26 06:39 -------- d-----w- c:\documents and settings\Beck\Application Data\InstallShield
2009-07-18 16:51 . 2009-07-18 16:51 0 ----a-w- c:\windows\nsreg.dat
2009-07-17 19:01 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 05:43 . 1980-01-01 00:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-13 19:36 . 2009-07-16 05:21 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 19:36 . 2009-07-16 05:21 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-03 17:09 . 1980-01-01 00:00 915456 ------w- c:\windows\system32\wininet.dll
.
(((((((((((((((((((((((((((((   SnapShot@2009-09-01_18.25.59   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-23 16:28 . 2009-09-23 16:28 16384 c:\windows\Temp\Perflib_Perfdata_c0.dat
+ 2009-09-23 16:29 . 2009-09-23 16:29 16384 c:\windows\Temp\Perflib_Perfdata_954.dat
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut9.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut8.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut7.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut6.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut5.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut28.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut27.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut26.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut25.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut24.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut23.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut22.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut21.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut20.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut2_1.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut19.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut18.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut17.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut16.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut15.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut14.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut13.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut12.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut11.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\NewShortcut10.BCCDD171_C13C_4D41_ACA3_0E088E5E60A9.exe
+ 2009-09-12 21:38 . 2009-09-12 21:38 25214 c:\windows\Installer\{D79113E7-274C-470B-BD46-01B10219DF6A}\ARPPRODUCTICON.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 1998-06-01 06:00 . 1998-06-01 06:00 884736 c:\windows\system32\mapi32x.dll
+ 1998-06-01 06:00 . 2004-08-03 19:07 112128 c:\windows\system32\mapi32.dll
+ 1980-01-01 00:00 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 1980-01-01 00:00 . 2009-03-08 10:33 726528 c:\windows\system32\jscript.dll
+ 2007-08-14 01:38 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2007-08-14 01:38 . 2009-03-08 10:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-09-12 21:39 . 2009-09-12 21:39 220672 c:\windows\Installer\2b00ee.msi
- 2005-05-04 16:17 . 2009-08-14 03:40 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2005-05-04 16:17 . 2009-09-10 03:32 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2005-05-04 16:17 . 2009-08-14 03:40 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-09-10 03:31 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-10 03:31 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-10 03:31 . 2009-03-08 10:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
- 1980-01-01 00:00 . 2008-06-18 12:03 2458112 c:\windows\system32\WMVCore.dll
+ 1980-01-01 00:00 . 2009-05-20 10:56 2458112 c:\windows\system32\WMVCore.dll
+ 1980-01-01 00:00 . 2009-05-20 10:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
- 1980-01-01 00:00 . 2008-06-18 12:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-08-25 20:57 . 2009-08-25 20:57 5518336 c:\windows\Installer\5de65.msp
+ 2009-09-12 21:38 . 2009-09-12 21:38 2874368 c:\windows\Installer\2b00e6.msi
+ 2005-12-06 17:04 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-11-16 1611480]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-07-16 25604904]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"DVDSentry"="c:\windows\system32\DSentry.exe" [2003-02-06 28672]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-11 344064]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"PAP7501_Monitor"="c:\windows\PixArt\PAP7501\GUCI_AVS.exe" [2007-12-10 323584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-07 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-05-01 73728]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-12-20 28160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-11-16 1611480]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [12/9/2008 12:55 PM 15172]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [7/15/2009 11:05 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/15/2009 11:05 PM 20560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 8:55 PM 102448]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [4/23/2007 4:56 PM 92550]
S2 gupdate1c99ad4d2501070;Google Update Service (gupdate1c99ad4d2501070);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2009 7:18 PM 133104]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [1/12/2008 7:32 PM 23888]
S3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2/23/2006 11:53 AM 87936]
S3 GUCI_AVS;USB2.0 UVC VGA;c:\windows\system32\drivers\GUCI_AVS.sys [7/26/2009 12:40 AM 533888]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-09-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-02 18:21]
2009-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 01:18]
2009-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-02 01:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {20B68B0C-B018-48D5-B767-06561C6BAEBA} - hxxp://srvlotus1:9080/integrator4.nsf/SwIntOfficeWeb.cab/$File/Integrator4.CAB
DPF: {7E27C5C7-A52B-450F-ADBE-EA3CE289465D} - hxxp://srvprag1/ProposalCenterWeb/PragFormLauncher.cab
DPF: {EB52CF7B-3917-11CE-80FB-0000C0C14E92} - hxxp://srvcereports1/asp_reports/CAB/sscala32.cab
FF - ProfilePath - c:\documents and settings\Beck\Application Data\Mozilla\Firefox\Profiles\6dg8h2f1.default\
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-23 15:54
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-09-23 15:56
ComboFix-quarantined-files.txt 2009-09-23 21:56
ComboFix2.txt 2009-09-01 18:28
Pre-Run: 22,832,046,080 bytes free
Post-Run: 22,817,525,760 bytes free
285 --- E O F --- 2009-09-10 03:36
The Google icon in the address bar is back to normal and there isn't a digital certificate error, so it looks like it is not being redirected now. The strange z symbol is still in the search bar though. I don't know if that info is stored in the browser so it still uses the redirected IP address for it? I'm having her uninstall and reinstall Firefox to see if it gets rid of that.
What exactly did ComboFix do with the script? I want to understand it better. Also, now her internet has been much slower and programs have given her "not responding" errors since she ran the script. Possible side-effect?
Thanks!
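Added example, not part of the log or the post above. The CFScript's `FILE ::` stanza (echoed at the top of the log) tells ComboFix to delete the listed files, and the "Other Deletions" section confirms it removed `c:\windows\system32\drivers\etc\hosts`. A hijacked hosts file is the classic cause of the symptoms described (a well-known site resolving to the wrong IP, and the resulting certificate error on HTTPS). The script below audits a hosts file for that pattern: watched domains pointed at a non-local address (redirect) or at loopback (update/AV sites sinkholed). The hosts contents, the watch list, and the 203.0.113.7 address (an RFC 5737 documentation range) are constructed for the example and are not taken from the infected machine.

```python
"""Audit a Windows hosts file for hijack-style entries.

Example code added to this thread; it is not ComboFix's logic and the
sample hosts text below is constructed, not the real file from the log.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Domains whose hosts-file mappings are worth flagging. Assumption: this
# list is the example author's; ComboFix does not use such a list.
WATCHED_DOMAINS = (
    "google.com", "bing.com", "yahoo.com", "microsoft.com",
    "windowsupdate.com", "symantec.com", "avast.com", "safer-networking.org",
)

# Constructed sample of a hijacked hosts file (illustrative only).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.7     www.google.com google.com
203.0.113.7     search.yahoo.com
127.0.0.1       www.avast.com
127.0.0.1       www.safer-networking.org   # blocks Spybot S&D updates
garbage-line-without-address
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    hostname: str
    address: str
    reason: str  # "redirected", "sinkholed" or "unparseable"


def _is_local(addr: str) -> bool:
    """True for loopback/unspecified addresses; anything else is off-box."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _is_watched(hostname: str) -> bool:
    """Exact or subdomain match against WATCHED_DOMAINS."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text: str) -> list[Finding]:
    """Return one Finding per suspicious mapping in hosts-file text.

    A watched domain mapped to a non-local address is a redirect (the
    browser talks to the wrong server, so HTTPS shows a certificate
    error). A watched domain mapped to loopback is sinkholed (updates or
    vendor sites silently fail). Lines without an address are reported too.
    """
    findings: list[Finding] = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            findings.append(Finding(n, "", line, "unparseable"))
            continue
        addr, names = parts[0], parts[1:]
        local = _is_local(addr)
        for name in names:
            if not _is_watched(name):
                continue
            reason = "sinkholed" if local else "redirected"
            findings.append(Finding(n, name, addr, reason))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by reason, e.g. {'redirected': 3, 'sinkholed': 2}."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.reason:<12} {f.hostname or '-':<28} {f.address}")
    print(summarize(audit_hosts(SAMPLE_HOSTS)))
```

To run it against a live machine, read `%SystemRoot%\system32\drivers\etc\hosts` into `audit_hosts` instead of `SAMPLE_HOSTS`. A clean XP hosts file contains only the `127.0.0.1 localhost` line, so any other mapping deserves a look; the watch list just prioritises the entries an infection most often touches.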